When passwords attack: the problem with aggressive password policies

This post is about the complexity of passwords used for computers in a work environment. It's elaborating on how passwords are getting too complex and making people want to write down their passwords on a sticky pad and place it somewhere on their desk. There is totally a security issue with this; these people are just handing out trouble. I see why employees choose to do this because it's a hassle, but they need to be informed that it is part of their job to keep the network secure, and it should be enforced by using a sense of audits by checking people's monitors. I don't ever think that people would do this in a corporate environment because it's just not right, because people are very sensitive about being called out on things they have done.

Regardless of how much a “hassle” it is, they shouldn’t be doing it. They should think how much of a “hassle” it would be if someone stole something. Let alone trying to explain to your boss why you made such a mistake. Or explaining to a prospective employer at the subsequent interview why you were fired from your last job. Fact is, it’s just better not to do it. If they’re having a hard time remembering it, there are various tips and tricks to making a solid password while making it easier for the individual to remember it.

I think it just comes down to a matter of remembering it. Extremely long passwords are ridiculous and may not be necessary, but long does not necessarily constitute complex. Most websites/applications nowadays tell you to pick something, perhaps a significant word (not your name or anything related to you), use an uppercase letter, and a number. Following that policy can actually work out fine because you will more likely remember such a word associated with such a number. Also, it gives a hacker more to think about, because there are millions of combinations of letters and numbers to constitute a password, and that could just be 6 characters! Writing down passwords is so much more risky than just resetting it altogether. When you think about it, resetting a password is good because the longer you have one, the greater the chances of someone having an idea about it. Don't write it down; there's no excuse. It's better to be safe than sorry.

There's another aspect to this as well, which is that we tell everyone not to use the same password for multiple accounts. I can make myself remember a difficult password; the trouble comes when I have to remember which password belongs to which account. We're just sort of shooting ourselves in the foot here trying to be more secure.

On the contrary, I think that some institutions are not doing enough. I had to change my RIT password the other day and I was shocked that you are not allowed to use anything but numbers and letters. You can’t use any symbols.
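The comments above argue from intuition about what a policy buys: six alphanumeric characters give "millions of combinations", and a policy that forbids symbols feels weaker. The following added example (not code from the original thread or the institution mentioned) makes that concrete. It computes the size of the search space for a few hypothetical policies, expressed in bits for a password chosen uniformly at random from the allowed characters, and includes a small policy checker of the kind that would reject a symbol under an alphanumeric-only rule. The policy names and the sample passwords are constructed for illustration.

```python
import math
import string

# Character classes a policy may require, allow, or forbid.
CLASSES = {
    "lower": string.ascii_lowercase,   # 26
    "upper": string.ascii_uppercase,   # 26
    "digit": string.digits,            # 10
    "symbol": string.punctuation,      # 32
}


def charset_size(allowed):
    """Number of distinct characters available under a policy."""
    return sum(len(CLASSES[name]) for name in allowed)


def search_space_bits(length, allowed):
    """Bits of entropy for a password of `length` drawn uniformly at random
    from the allowed classes: log2(charset ** length).

    This is an upper bound. A human-chosen word plus a digit is drawn from a
    far smaller space (dictionary size * a few digits), so real attacker
    effort is usually much lower than this figure suggests.
    """
    return length * math.log2(charset_size(allowed))


def check_policy(password, min_length, required, allowed):
    """Return a list of policy violations (empty list means the password passes)."""
    violations = []
    if len(password) < min_length:
        violations.append(f"shorter than {min_length} characters")
    for name in required:
        if not any(ch in CLASSES[name] for ch in password):
            violations.append(f"missing required class: {name}")
    permitted = "".join(CLASSES[name] for name in allowed)
    for ch in password:
        if ch not in permitted:
            violations.append(f"character {ch!r} not allowed by policy")
            break
    return violations


# Hypothetical policies, constructed for this example.
POLICIES = {
    "6 alphanumeric (the 'just 6 characters' case)": (6, ["lower", "upper", "digit"]),
    "8 chars, all four classes": (8, ["lower", "upper", "digit", "symbol"]),
    "alphanumeric only, 10 chars (no symbols permitted)": (10, ["lower", "upper", "digit"]),
    "12 lowercase letters only": (12, ["lower"]),
    "4-word passphrase, ~16 lowercase letters": (16, ["lower"]),
}


def policy_table():
    """Map each policy name to (combinations, bits) for a random password."""
    table = {}
    for name, (length, allowed) in POLICIES.items():
        combos = charset_size(allowed) ** length
        table[name] = (combos, round(search_space_bits(length, allowed), 1))
    return table


if __name__ == "__main__":
    for name, (combos, bits) in policy_table().items():
        print(f"{bits:5.1f} bits  {combos:>24,d}  {name}")
    # An alphanumeric-only policy rejects a symbol even though the rest is fine.
    print(check_policy("Summer2024!", 8, ["upper", "digit"], ["lower", "upper", "digit"]))
```

The point the table makes is that length moves the number far more than adding a symbol class: twelve lowercase letters already outnumber eight characters drawn from all four classes, so forbidding symbols costs less than capping length would. The entropy figures apply only to random passwords; for human-chosen ones the practical defence is a password manager generating unique random passwords per account, which also addresses the "which password belongs to which account" problem raised above.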